Setting up the Graylog log management tool

Posted by bazingafraser


Log management tool: Graylog

Building a Graylog + MongoDB + Elasticsearch log management stack

Part 1. Installing MongoDB

1) Add the MongoDB yum repository

[[email protected] package]# vim /etc/yum.repos.d/mongodb-org-3.0.repo

[mongodb-org-3.0]

name=MongoDB Repository

baseurl=http://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.0/x86_64/

gpgcheck=0

enabled=1

2) Install MongoDB with yum

[[email protected] package]# yum install -y mongodb-org

[[email protected] package]# vi /etc/yum.conf

Append the following line at the end of the file (it excludes the MongoDB packages from yum updates):

exclude=mongodb-org,mongodb-org-server,mongodb-org-shell,mongodb-org-mongos,mongodb-org-tools

3) Start MongoDB and enable it at boot

[[email protected] package]# service mongod start

Starting mongod:                                           [  OK  ]

[[email protected] package]# chkconfig mongod on

Check that the port is listening:

[screenshot]

4) Tune the server's resource limits

[[email protected] package]# vim /etc/security/limits.conf

Append the following at the end of the file:

*                soft    nproc           65536

*                hard    nproc           65536

mongod           soft    nproc           65536

 

*                soft    nofile          131072

*                hard    nofile          131072

5) Modify the init script

[[email protected] package]# vim /etc/init.d/mongod

Insert the following before the line "ulimit -f unlimited" (it disables transparent huge pages, which MongoDB recommends):

 

if test -f /sys/kernel/mm/transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
fi
if test -f /sys/kernel/mm/transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/transparent_hugepage/defrag
fi

6) Restart MongoDB

[[email protected] package]# /etc/init.d/mongod restart

Stopping mongod:                                           [  OK  ]

Starting mongod:                                            [  OK  ]

[[email protected] package]#
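The init script change above writes "never" into the THP files but never reads the result back, and limits.conf only applies to sessions started after the edit. The following shell helpers are an added check, not part of the original post: they parse the active setting out of the sysfs THP files and read the nproc/nofile values back from limits.conf. The sysfs directory and the limits file are arguments so the functions can also run against constructed files; the thresholds 65536 and 131072 are the values set in step 4.

```shell
#!/bin/sh
# Added verification helpers for steps 4 and 5 (not from the original post).

thp_setting() {
  # Print the active value of a THP control file: "always madvise [never]" -> never
  sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

thp_disabled() {
  # Succeed when both "enabled" and "defrag" read [never].
  # $1 overrides the sysfs directory so the check can run against test files;
  # a missing file means the kernel has no THP support, which also counts as disabled.
  base=${1:-/sys/kernel/mm/transparent_hugepage}
  for f in enabled defrag; do
    [ -f "$base/$f" ] || continue
    [ "$(thp_setting "$base/$f")" = never ] || return 1
  done
  return 0
}

limits_value() {
  # $1=limits.conf $2=domain ('*' or a user such as mongod) $3=soft|hard $4=item (nproc, nofile)
  # Prints the last matching value, which is the one PAM applies; prints nothing if absent.
  awk -v d="$2" -v t="$3" -v i="$4" \
    '$1 == d && $2 == t && $3 == i { v = $4 } END { if (v != "") print v }' "$1"
}

limits_ok() {
  # Succeed when $1 (limits.conf) grants at least the values set in step 4: nproc 65536, nofile 131072.
  # The "*" entries cover the mongod user unless a mongod-specific line overrides them.
  np=$(limits_value "$1" mongod soft nproc)
  [ -n "$np" ] || np=$(limits_value "$1" '*' soft nproc)
  nf=$(limits_value "$1" '*' hard nofile)
  [ -n "$np" ] && [ -n "$nf" ] && [ "$np" -ge 65536 ] && [ "$nf" -ge 131072 ]
}

# Stand-alone use: `sh check-tuning.sh --check` inspects the live system.
if [ "${1:-}" = --check ]; then
  thp_disabled && echo "THP: disabled" || echo "THP: still enabled"
  limits_ok /etc/security/limits.conf && echo "limits: ok" || echo "limits: too low"
fi
```

Run it after the mongod restart in step 6; if THP still reports enabled, the init script edit did not take effect (for example because the service was started by a different unit).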

Part 2. Installing Elasticsearch

1) Install the JRE dependency

wget "http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jre-8u131-linux-x64.rpm?AuthParam=1500362928_8aa25a02f542f908485e61d3e3de8e39"

[[email protected] package]# rpm -ivh jre-8u131-linux-x64.rpm

Preparing...                ########################################### [100%]

   1:jre1.8.0_131           ########################################### [100%]

Unpacking JAR files...

plugin.jar...

javaws.jar...

deploy.jar...

rt.jar...

jsse.jar...

charsets.jar...

localedata.jar...

[[email protected] package]# java -version

java version "1.8.0_131"

Java(TM) SE Runtime Environment (build 1.8.0_131-b11)

Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

[[email protected] package]#

2) Add the Elasticsearch repository

[[email protected] package]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

[[email protected] package]# vim /etc/yum.repos.d/elasticsearch.repo

 

[elasticsearch-1.5]

name=Elasticsearch repository for 1.5.x packages

baseurl=http://packages.elastic.co/elasticsearch/1.5/centos

gpgcheck=1

gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch

enabled=1

3) Install and start

[[email protected] package]# yum -y install elasticsearch

[[email protected] package]# chkconfig --add elasticsearch

[[email protected] package]# vim /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog

[[email protected] package]# /etc/init.d/elasticsearch start

Starting elasticsearch:                                    [  OK  ]

[[email protected] package]#

Check that the port is open:

[screenshot]

4) Test

[screenshot]

Part 3. Installing Graylog

1) Download the rpm packages

wget https://packages.graylog2.org/repo/el/6Server/1.0/x86_64/graylog-server-1.0.2-1.noarch.rpm

wget https://packages.graylog2.org/repo/el/6Server/1.0/x86_64/graylog-web-1.0.2-1.noarch.rpm

2) Install

[[email protected] package]# rpm -ivh graylog-server-1.0.2-1.noarch.rpm

warning: graylog-server-1.0.2-1.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID b1606f22: NOKEY

Preparing...                ########################################### [100%]

   1:graylog-server         ########################################### [100%]

[[email protected] package]# rpm -ivh graylog-web-1.0.2-1.noarch.rpm

warning: graylog-web-1.0.2-1.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID b1606f22: NOKEY

Preparing...                ########################################### [100%]

   1:graylog-web           ########################################### [100%]

[[email protected] package]#

3) Install the password generator (pwgen)

[[email protected] package]# wget "https://jaist.dl.sourceforge.net/project/pwgen/pwgen/2.07/pwgen-2.07.tar.gz" --no-check-certificate

[[email protected] package]# tar -xvzf pwgen-2.07.tar.gz

[[email protected] package]# cd pwgen-2.07

[[email protected] pwgen-2.07]# ./configure

[[email protected] pwgen-2.07]# make && make install

4) Generate the secret and the admin password hash (server-side configuration)

[[email protected] package]# pwgen -N 1 -s 96

dlpczsPk5onyxfuvzEofWf9hImti8gy1IuwGHEU8hgK7mJ0n1ONRP1RhmUoOfbjebY9ntcSJisMnyFdDCqFTTc0gTXiXE5Gm

[[email protected] package]#

[[email protected] package]# vim /etc/graylog/server/server.conf

password_secret=dlpczsPk5onyxfuvzEofWf9hImti8gy1IuwGHEU8hgK7mJ0n1ONRP1RhmUoOfbjebY9ntcSJisMnyFdDCqFTTc0gTXiXE5Gm

[[email protected] package]# echo -n zc1215 | sha256sum

333afba6e2b8b480168b0c7704099cfb15e546f3cdf57e97c4b58cf9a3d8e398  -

[[email protected] package]#

[[email protected] package]# vim /etc/graylog/server/server.conf

root_password_sha2=333afba6e2b8b480168b0c7704099cfb15e546f3cdf57e97c4b58cf9a3d8e398

root_username = dengluyonghu

elasticsearch_cluster_name = graylog

5) Start the server

[[email protected] package]# /etc/init.d/graylog-server start

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=128m; support was removed in 8.0

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0

 

[[email protected] package]#

These warnings can be ignored.

6) Generate the application secret (web-side configuration)

[[email protected] package]# pwgen -N 1 -s 96

dlpczsPk5onyxfuvzEofWf9hImti8gy1IuwGHEU8hgK7mJ0n1ONRP1RhmUoOfbjebY9ntcSJisMnyFdDCqFTTc0gTXiXE5Gm

[[email protected] package]#

[[email protected] package]# vim /etc/graylog/web/web.conf

graylog2-server.uris="http://127.0.0.1:12900/"

application.secret="dlpczsPk5onyxfuvzEofWf9hImti8gy1IuwGHEU8hgK7mJ0n1ONRP1RhmUoOfbjebY9ntcSJisMnyFdDCqFTTc0gTXiXE5Gm"

Note: graylog2-server.uris in /etc/graylog/web/web.conf must match rest_listen_uri in /etc/graylog/server/server.conf.
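Steps 4 and 6 generate the secrets by hand and paste them into the config files. As an added example, not code from the original post or from Graylog, the shell functions below do the same end to end: hash the admin password exactly as the echo -n ... | sha256sum command does, generate a 96-character secret from /dev/urandom in place of pwgen, write the keys into server.conf and web.conf, and verify the condition in the note above, that graylog2-server.uris matches rest_listen_uri. The file paths and the admin user/password are arguments; the 127.0.0.1:12900 URI is the one from web.conf above.

```shell
#!/bin/sh
# Added helpers for steps 4 and 6 (not from the original post): generate the secrets,
# hash the admin password the way Graylog expects, write them into the config files
# and verify that web.conf points at the server's REST URI.

sha256_hex() {
  # Hex SHA-256 of $1 with no trailing newline, i.e. the same bytes as `echo -n "$1" | sha256sum`.
  # root_password_sha2 is this plain, unsalted digest, so the admin password itself must be strong.
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | awk '{ print $1 }'
  else
    printf '%s' "$1" | shasum -a 256 | awk '{ print $1 }'
  fi
}

gen_secret() {
  # Random alphanumeric secret of ${1:-96} characters from the kernel RNG (stands in for `pwgen -N 1 -s 96`).
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-96}"
}

set_conf_value() {
  # $1=config file $2=key $3=value. Replaces an existing (possibly commented-out) "key = ..." line,
  # otherwise appends one. The value must not contain "|" or "&", which are special in the sed replacement.
  if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
    sed -i.bak -E "s|^#?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
  else
    printf '%s = %s\n' "$2" "$3" >> "$1"
  fi
}

get_conf_value() {
  # Print the value of key $2 in $1, ignoring commented lines, surrounding quotes and trailing space.
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?.*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

check_uris_match() {
  # Succeed when graylog2-server.uris in web.conf ($2) equals rest_listen_uri in server.conf ($1).
  # The dot in the key is escaped because sed would otherwise treat it as a wildcard.
  srv=$(get_conf_value "$1" rest_listen_uri)
  web=$(get_conf_value "$2" 'graylog2-server\.uris')
  [ -n "$srv" ] && [ "$srv" = "$web" ]
}

configure_graylog() {
  # $1=server.conf $2=web.conf $3=admin user $4=admin password.
  # password_secret must be identical on every node of a cluster; application.secret is independent of it.
  set_conf_value "$1" password_secret "$(gen_secret 96)"
  set_conf_value "$1" root_username "$3"
  set_conf_value "$1" root_password_sha2 "$(sha256_hex "$4")"
  set_conf_value "$2" application.secret "\"$(gen_secret 96)\""
  check_uris_match "$1" "$2"
}
```

Typical use on the host from this guide would be configure_graylog /etc/graylog/server/server.conf /etc/graylog/web/web.conf dengluyonghu 'your-password'; sed -i.bak keeps a copy of each file it touches, and a non-zero exit from the final check means the two URIs differ and the web interface will not reach the server.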

7) Start the web interface

[[email protected] package]# /etc/init.d/graylog-web start

Starting graylog-web:                                      [  OK  ]

[[email protected] package]#

8) Test

Open http://103.227.76.20:9000 in a browser to reach the Graylog login page.

Administrator account and password: dengluyonghu / zc1215

[screenshot]

Part 4. Adding log inputs

1) Create a raw TCP input

Go to System > Inputs > Inputs in Cluster > Raw/Plaintext TCP | Launch new input, name it "tcp 5555" and create it.

[screenshots]

Once it is created, run the following from any Linux machine that has nc installed:

echo `date`|nc 103.227.76.20 5555

After logging in at http://103.227.76.20:9000, click the green search button in the third row; one message should appear, as in the screenshot below:

[screenshot]

This confirms the installation succeeded.

2) Create a GELF HTTP input

Go to System > Inputs > Inputs in Cluster > GELF HTTP | Launch new input, name it "http 12201" and create it.

[screenshot]

Test:

Run the following from any Linux machine that has curl installed:

curl -XPOST http://103.227.76.20:12201/gelf -p0 -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "_foo":"bar"}'

After logging in at http://103.227.76.20:9000, click the green search button in the third row; one message should appear, as in the screenshot below:

[screenshot]

This confirms the GELF HTTP input is set up correctly.

3) Set the time zone

[[email protected] shell]# vim /etc/graylog/server/server.conf

root_timezone = Asia/Shanghai

[[email protected] shell]# vim /etc/graylog/web/web.conf

timezone="Asia/Shanghai"

Restart the services:

[[email protected] shell]# /etc/init.d/graylog-server restart

[[email protected] shell]# /etc/init.d/graylog-web restart

Part 5. Sending logs to the Graylog server

1) Sending logs over HTTP (GELF)

curl -XPOST http://103.227.76.20:12202/gelf -p0 -d '{"short_message":"Hello there", "host":"example.org", "facility":"test", "_foo":"bar"}'

2) Sending logs over TCP

echo "hello, graylog" | nc 103.227.76.20 5555

3) Collecting php-error.log with inotifywait

gather-php-log.sh (this script uses inotifywait to watch the log in real time and forwards new lines to the Graylog server)

#!/bin/bash
# Watch the PHP error log with inotifywait and forward every new line to Graylog over GELF HTTP.

app=php-error
node=$HOSTNAME
log_file=/data/weblogs/php-fpm-error.log
graylog_server_ip=223.202.208.85
graylog_server_port=12201

# ${app}.size holds the log size at the previous read; start from 0 on the first run
[ -f ${app}.size ] || echo 0 > ${app}.size

while inotifywait -e modify $log_file; do
    last_size=$(cat ${app}.size)
    curr_size=$(stat -c%s $log_file)
    echo $curr_size > ${app}.size
    count=$((curr_size - last_size))
    # read_log.py prints the bytes appended since last_size; sed escapes double quotes for the JSON body
    python read_log.py $log_file ${last_size} $count | sed 's/"/\\"/g' > ${app}.new_lines
    while read line
    do
        if [ -n "$line" ]; then
            # host identifies the sending machine; the server address comes from the variables above
            curl -XPOST http://${graylog_server_ip}:${graylog_server_port}/gelf -p0 -d "{\"short_message\":\"$line\", \"host\":\"${node}\", \"facility\":\"php-error\"}"
            echo "gathered -- $line"
        fi
    done < ${app}.new_lines
done

# Alert check: mail the collected lines when any of them mentions "php" but not "php-fpm".
# It sits after the inotifywait loop, so it only runs once that loop exits.
file=/data/shell/${app}.new_lines
if [ ! -s $file ]; then
    echo "文件为空,日志无异常"
else
    grep "php" /data/shell/${app}.new_lines | grep -v "php-fpm" > /data/shell/${app}.new_lines2
    file2=/data/shell/${app}.new_lines2
    if [ ! -s $file2 ]; then
        echo "无异常"
    else
        echo -e "详情请登录:http://103.227.76.19:9000进行查看\n `cat /data/shell/${app}.new_lines`" | mutt -s "php错误日志" [email protected]
    fi
    > /data/shell/${app}.new_lines
    > /data/shell/${app}.new_lines2
fi

read_log.py (reads the newly appended portion of the log)

#!/usr/bin/python
# coding=utf-8
# Print `count` bytes of a log file starting at byte offset `print_from`.
# If the file is smaller than the offset it was probably rotated, so reading restarts at the beginning.
import sys
import os

if len(sys.argv) < 4:
    print("Usage: %s /path/of/log/file print_from count" % (sys.argv[0]))
    print("Example: %s /var/log/syslog 90000 100" % (sys.argv[0]))
    sys.exit(1)

filename = sys.argv[1]
if not os.path.isfile(filename):
    print("%s not existing!!!" % (filename))
    sys.exit(1)

filesize = os.path.getsize(filename)

position = int(sys.argv[2])
if filesize < position:
    # The original format string had no placeholders for (position, filesize), which raised a TypeError
    print("log file may cut by logrotate.d (offset %d > size %d), print log from begin!" % (position, filesize))
    position = 0

count = int(sys.argv[3])
with open(filename, "r") as fo:
    fo.seek(position, 0)
    content = fo.read(count)

print(content.strip())
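The gather-php-log.sh / read_log.py pair above depends on inotifywait, escapes quotes with sed before assembling the JSON body by hand, and advances its offset past a line that may still be half-written. The shell script below is an added example, not part of the original post, that does the same job for sections 1 to 3 of this part without inotifywait (run it from cron or a loop): it tails the log by byte offset, restarts from 0 when the file shrinks after logrotate, ships only complete lines and leaves a partial trailing line for the next run, and builds the GELF document with proper JSON escaping instead of the sed substitution. The Graylog host and port are arguments (12201 is the GELF HTTP input port from Part 4); the sender host is taken from hostname.

```shell
#!/bin/sh
# Added alternative to gather-php-log.sh + read_log.py (not from the original post):
# offset-based tailing without inotifywait, logrotate handling and JSON-safe GELF payloads.

json_escape() {
  # Escape backslash, double quote and tab so $1 can sit inside a JSON string literal.
  tab=$(printf '\t')
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g"
}

gelf_payload() {
  # $1=host (the sender, not the Graylog server) $2=facility $3=message line -> one GELF 1.1 document
  printf '{"version":"1.1","host":"%s","short_message":"%s","facility":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$3")" "$(json_escape "$2")"
}

read_new_bytes() {
  # $1=log file $2=state file holding the byte offset already shipped.
  # Prints the complete lines appended since the last call and records the new offset.
  log=$1; state=$2; last=0
  [ -f "$state" ] && last=$(cat "$state")
  curr=$(wc -c < "$log" | tr -d ' ')
  [ "$curr" -lt "$last" ] && last=0          # file shrank: rotated or truncated, start over
  count=$((curr - last))
  # Only ship through the last newline; a partial trailing line stays in the file for the next call.
  # LC_ALL=C makes awk's length() count bytes, which is what the offsets are.
  complete=$(tail -c "+$((last + 1))" "$log" | head -c "$count" \
    | LC_ALL=C awk '{ n += length($0) + 1; l = length($0) } END { if (n > total) n -= l + 1; print n + 0 }' total="$count")
  [ "$complete" -gt 0 ] && tail -c "+$((last + 1))" "$log" | head -c "$complete"
  echo $((last + complete)) > "$state"
}

ship_new_lines() {
  # $1=log $2=state file $3=Graylog host $4=GELF HTTP port $5=facility.
  # Every line read here ends in a newline, so nothing is lost between runs.
  read_new_bytes "$1" "$2" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    curl -s -o /dev/null -X POST "http://$3:$4/gelf" -H 'Content-Type: application/json' \
      --data-binary "$(gelf_payload "$(hostname)" "$5" "$line")"
  done
}

# Stand-alone use, e.g. from cron every minute (GRAYLOG_HOST is a placeholder):
#   sh ship-log.sh --ship /data/weblogs/php-fpm-error.log /var/tmp/php-error.offset GRAYLOG_HOST 12201 php-error
if [ "${1:-}" = --ship ]; then
  shift
  ship_new_lines "$@"
fi
```

Keeping the offset in a separate state file rather than in the script's working directory (the ${app}.size of the original) lets several logs be shipped by the same script, and because the offset only ever advances past a newline, a line that php-fpm is still writing is never sent as a truncated message.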

 
